Overview

overview

10

Static

static

3

b9c1445929...7d.exe

windows7-x64

10

b9c1445929...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2024 02:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe

  • Size

    888KB

  • MD5

    cf659feea0c1c9e0a1705e076b831f48

  • SHA1

    4e79ae9003d92a10d09fdb231512ca914c60a7c7

  • SHA256

    b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d

  • SHA512

    6ebf5d751d94772def751a6085e233e8cadb0c4c29193be247d0b11c977370ae82a2d5190bae463b0de60cbe8bf0c2c7a4b0dd84f9c2fd142e7ededc42afdfc4

  • SSDEEP

    12288:oXxu5oy0XhL9ljnp9zIO6S33Ys1fCjPfeCMVAgfMCf3e9:ohAcXhL9lV9cHSY2ZCMVAgfM

Score
10/10
modiloaderremcosremotehostpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47212

officerem.duckdns.org:47212
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-I8N3XG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 16 IoCs
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe
    "C:\Users\Admin\AppData\Local\Temp\b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir "\\?\C:\Windows "
      2⤵
        PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "\\?\C:\Windows \System32"
        2⤵
          PID:2516
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Windows \System32\3219816.exe"
          2⤵
            PID:2932
            • C:\Windows \System32\3219816.exe
              "C:\Windows \System32\3219816.exe"
              3⤵
              • Executes dropped EXE
              PID:2388
            • C:\Windows \System32\3219816.exe
              "C:\Windows \System32\3219816.exe"
              3⤵
              • Executes dropped EXE
              PID:2588
          • C:\Windows\SysWOW64\extrac32.exe
            C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe C:\\Users\\Public\\Libraries\\Hmbaewme.PIF
            2⤵
              PID:2320
            • C:\Windows\SysWOW64\SndVol.exe
              C:\Windows\System32\SndVol.exe
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:1996

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\remcos\logs.dat
            Filesize

            144B

            MD5

            2501a4fb1300f002045a59a52a508e14

            SHA1

            4e7f0be891d2811e4c5b2e8226d685c92fe620b9

            SHA256

            ef4446b14794fa3467ce2d5f08117234a3088a100694adecf3ae3dc6f434e514

            SHA512

            872c9f882e1c5cb63178e5c994de791f511726e7b060a27c7d27e2a5de83ffb6c5ba1e6a49697969c28babf7ac526779110442580e96214484bf2014e968f386

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            67KB

            MD5

            753df6889fd7410a2e9fe333da83a429

            SHA1

            3c425f16e8267186061dd48ac1c77c122962456e

            SHA256

            b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

            SHA512

            9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TarA432.tmp
            Filesize

            175KB

            MD5

            dd73cead4b93366cf3465c8cd32e2796

            SHA1

            74546226dfe9ceb8184651e920d1dbfb432b314e

            SHA256

            a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

            SHA512

            ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

            Download Submit

          • C:\Windows \System32\3219816.exe
            Filesize

            128KB

            MD5

            231ce1e1d7d98b44371ffff407d68b59

            SHA1

            25510d0f6353dbf0c9f72fc880de7585e34b28ff

            SHA256

            30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

            SHA512

            520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

            Download Submit

          • memory/1444-0-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1444-1-0x0000000003140000-0x0000000004140000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1444-2-0x0000000003140000-0x0000000004140000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1444-4-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1444-5-0x0000000000400000-0x00000000004E8000-memory.dmp

            Filesize

            928KB

            Download

          • memory/1996-88-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-96-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-87-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-84-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-89-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-90-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-91-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-92-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-93-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-86-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-100-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-101-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-124-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-108-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-116-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1996-117-0x0000000000580000-0x0000000001580000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2932-68-0x0000000000690000-0x0000000000691000-memory.dmp

            Filesize

            4KB

            Download